In the past year, we have seen a large increase in the number and severity of attacks against our enterprise databases. Here's a quick checklist to follow or audit against to make sure your SQL servers are better protected.
1. Change your SQL password
By default, most installations set the SQL administrator password to either null or 'sa'. Attackers know this and commonly use it to compromise not just the database or server, but the entire network. Your SQL server password must meet or exceed the complexity requirements of your site's existing password policy. Remember that SQL often runs with the highest system authority, so protecting this account from password guessing is akin to protecting one of the crown jewels. Compromise of the SQL account can have vast and devastating effects.
2. Patch your SQL server software
Patches are released for a variety of reasons, including functional fixes and security fixes. You must keep your SQL server patched to the current level. It is just as important as keeping your operating system and anti-virus software up to date. Vulnerability exploits against SQL implementations are becoming more and more popular in the attacker community.
3. Ensure that adequate input validation is in place on all SQL applications
If your web site uses a SQL backend, even for simple authentication, you must make sure that information passed to the SQL server is free of embedded SQL commands and redirections. For specific information on SQL server input validation mechanisms, check out the SQL security FAQ at http://www.sqlsecurity.com/faq-inj.asp.
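To make step 3 concrete, here is an added example (not code from the original article or from the FAQ it links to) of the two ways a web application can hand a login check to its SQL backend. It uses Python's sqlite3 module as a stand-in for the site's SQL server, a constructed users table, and made-up password hash strings; the `?` placeholder style is sqlite3's, and other database drivers use their own. The first function embeds the user's input in the SQL text, so a crafted username changes the meaning of the statement; the second passes the same input as bound parameters, so the database treats it strictly as data. Because identifiers such as a sort column cannot be bound as parameters, the block also shows an allow-list check for that case.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database standing in for the site's SQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed sample rows; the hashes are placeholders, not real digests.
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-alice'), ('bob', 'hash-bob')")
    conn.commit()
    return conn


def login_concat(conn, username, password_hash):
    """Vulnerable form: user input is spliced directly into the SQL text.

    Quotes or operators inside the input become part of the statement, so the
    WHERE clause no longer says what the developer intended.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password_hash):
    """Hardened form: the statement is fixed and the input is bound as parameters.

    The driver sends the values separately from the SQL text, so they can only
    ever be compared against the columns, never interpreted as SQL.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


# Identifiers cannot be bound as parameters, so the only safe approach for a
# user-chosen sort column is an allow-list of known column names.
ALLOWED_SORT_COLUMNS = {"username"}


def list_users_sorted(conn, sort_column):
    """Return usernames ordered by a caller-selected column, validated against an allow-list."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_column)
    rows = conn.execute("SELECT username FROM users ORDER BY %s" % sort_column).fetchall()
    return [row[0] for row in rows]


def demo():
    """Run both login variants against a legitimate login and a hostile username."""
    conn = make_db()
    hostile = "' OR '1'='1"   # constructed test input, the classic tautology
    return {
        "concat_legit": login_concat(conn, "alice", "hash-alice"),
        "concat_hostile": login_concat(conn, hostile, hostile),
        "param_legit": login_param(conn, "alice", "hash-alice"),
        "param_hostile": login_param(conn, hostile, hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-15s %s" % (name, result))
```

Running the block shows the concatenated query accepting the hostile input as a valid login while the parameterized query rejects it; the legitimate login succeeds in both. In an audit, grep the application for string formatting or concatenation that builds SQL text and replace each instance with bound parameters, reserving allow-lists for the identifiers a driver cannot bind.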
That's it. Follow these three steps and you will repel a great many SQL attacks. For deeper security improvements to SQL installations, you should check out the SANS reading room for articles such as http://rr.sans.org/win/SQL_sec.php, which explains SQL security baselines and functionality.